graineai
v1.0.1Manage voice agents, place and transfer calls, handle telephony events, and retrieve call records using the NoddyAI API at graine.ai.
⭐ 0· 74·0 current·0 all-time
byRishabh Bhanot@rishabh171998
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to manage voice agents and telephony on graine.ai and all documented endpoints match that purpose. One minor inconsistency: SKILL.md explicitly requires a Graine/NoddyAI API key (gat_...) and an org_id, but the registry metadata lists no required env vars — the documentation asks the host to supply secrets, yet those secrets are not declared in the skill metadata.
Instruction Scope
SKILL.md and the example files limit actions to constructing HTTP calls to https://api.graine.ai, handling call-related resources, and instruct users to obtain explicit consent for high-impact actions (outbound calls, transfers, deletes). There are no instructions to read unrelated files, probe other services, or exfiltrate data.
Install Mechanism
No install spec or code is included — this is instruction-only markdown, so nothing is written to disk or executed by an installer.
Credentials
Requesting an API key (gat_...) and org_id is proportionate to telephony/agent management. The skill appropriately asks the host to provide these secrets rather than embedding them. However, those required credentials are not reflected in the registry's required-env metadata, which may cause confusion during install/configuration.
Persistence & Privilege
The skill is not force-included (always: false) and does not request system-wide persistence or access to other skills' configs. The default ability for the agent to invoke the skill autonomously is enabled, but SKILL.md emphasizes explicit user confirmation for high-impact actions.
Assessment
This package is documentation-only and appears to be what it claims: a reference for calling graine.ai/NoddyAI APIs. Before installing or enabling it, verify the following: 1) The host/workspace must supply your Graine API key (gat_...) and org_id securely — confirm where those secrets are stored and who/what can access them, since the skill metadata did not declare them. 2) Understand billing/telephony implications: outbound or batch calls may incur costs and legal requirements (consent, local regulations). 3) Confirm webhook URLs before you PATCH/POST them — they may receive recordings/transcripts with PII; use HTTPS and endpoints you control. 4) Some example agent configurations reference third-party providers (Deepgram, ElevenLabs, OpenAI, Azure, etc.); enabling those integrations will require separate credentials for those services. 5) Although the skill instructs to ask for explicit user confirmation for risky actions, make sure your agent/host enforces that prompt and does not auto-execute high-impact operations without user approval. If you want stronger hygiene, ask the author to update registry metadata to declare required env variables (API key, org_id) so host/tooling can surface configuration errors up front.Like a lobster shell, security has layers — review code before you run it.
latestvk978wwvq3fhph7eh0btsn391w983xrsz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.